Nimbus RAT: How Threat Actors Are Abusing Microsoft Teams and Google Drive to Deploy a Java RAT
In April 2026, threat actors deployed Nimbus RAT against a legal industry target using Microsoft Teams voice phishing. The attack began with email bombing (282 emails in 90 minutes), followed by a fake IT helpdesk contact via Teams who convinced the victim to grant Quick Assist remote access. Within 20 minutes, a Java-based RAT was deployed that uses Google Drive and Google Sheets for command-and-control, making network traffic appear benign. Analysis of 1,540 suspicious Teams messages across 172 customer environments over 12 months revealed 65% originated from throwaway onmicrosoft.com tenants with IT-themed names. The malware bundles its own Java runtime, implements two credential theft mechanisms, and allows in-memory second-stage code execution. Post-compromise targeting included Signal Desktop attachments and Outlook mailboxes.
Indicators of Compromise (12)